Network slice-specific authentication and authorization

ABSTRACT

The present disclosure relates to a pre-5 th -Generation (5G) or 5G communication system to be provided for supporting higher data rates Beyond 4 th -Generation (4G) communication system such as Long Term Evolution (LTE). A method, for a user equipment (UE) is disclosed. The method comprises: transmitting, by the UE to a network entity, a registration request message including a registration type information element (IE) indicating a periodic registration updating or a mobility registration updating; receiving, by the UE from the network entity, a registration accept message including a pending network slice selection assistant information (NSSAI); and determining, by the UE, that a previously received allowed NSSAI as invalid based on the registration accept message.

CROSS-REFERENCE TO RELATED APPLICATION

This application is based on and claims priority under 35 U.S.C. §119(a) to Great Britain Patent Application No. 2004657.9 filed on Mar.30, 2020 in the Great Britain Patent Office, the disclosure of which isincorporated by reference herein in its entirety.

BACKGROUND 1. Field

Certain examples of the present disclosure provide methods, apparatusand systems for performing network slice-specific authentication andauthorization. For example, certain examples of the present disclosureprovide methods, apparatus and systems for enabling correct operationsfor network slice-specific authentication and authorization in 3GPP 5G.

2. Description of the Related Art

To meet the demand for wireless data traffic having increased sincedeployment of 4G (4^(th)-Generation) communication systems, efforts havebeen made to develop an improved 5G (5^(th)-Generation) or pre-5Gcommunication system. Therefore, the 5G or pre-5G communication systemis also called a ‘beyond 4G network’ or a ‘post LTE system’.

The 5G communication system is considered to be implemented in higherfrequency (mmWave) bands, e.g., 60 GHz bands, so as to accomplish higherdata rates. To decrease propagation loss of the radio waves and increasethe transmission distance, the beamforming, massive multiple-inputmultiple-output (MIMO), full dimensional MIMO (FD-MIMO), array antenna,an analog beam forming, large scale antenna techniques are discussed in5G communication systems.

In addition, in 5G communication systems, development for system networkimprovement is under way based on advanced small cells, cloud radioaccess networks (RANs), ultra-dense networks, device-to-device (D2D)communication, wireless backhaul, moving network, cooperativecommunication, coordinated multi-points (CoMP), reception-endinterference cancellation and the like.

In the 5G system, hybrid FSK and QAM modulation (FQAM) and slidingwindow superposition coding (SWSC) as an advanced coding modulation(ACM), and filter bank multi carrier (FBMC), non-orthogonal multipleaccess (NOMA), and sparse code multiple access (SCMA) as an advancedaccess technology have been developed.

Herein, the following documents are referenced: [1] 3GPP TS 23.501V16.4.0; [2]3GPP TS 23.502 V16.4.0; and [3] 3GPP TS 24.501 V16.4.0.

In 3GPP 5G system, the following are defined (e.g., in [1]). A networkslice (NS) is defined as a logical network that provides specificnetwork capabilities and network characteristics. A network sliceinstance (NSI) is defined as a set of network function instances and therequired resources (e.g., compute, storage, and networking resources)which form a deployed NS. A network function (NF) is defined as a 3GPPadopted or 3GPP defined processing function in a network, which hasdefined functional behaviour and 3GPP defined interfaces.

ANS may be identified by single network slice selection assistanceinformation (S-NSSAI).

Overview of Network Slice-Specific Authentication and Authorization(NSSAA)

NSSAA was introduced as part of Rel-16 in 3GPP. The feature enables thenetwork to perform slice-specific authentication and authorization for aset of S-NSSAI(s) to ensure that the user is allowed to access theseslices. The procedure is executed after the 5G mobility management(5GMM) authentication procedure has been completed and also after theregistration procedure completes. The high-level description of thefeature can be found in [1] whereas further details can be found in [2]and [3]. The key points about the NSSAA procedure are summarized in thissection.

The NSSAA procedure is access independent i.e., if a slice issuccessfully authorized, then it is considered as authorized for bothaccess types (i.e., 3GPP and non-3GPP access type). The term“authorized” means that slice-specific authentication/authorization hassucceeded for a particular S-NSSAI, however this does not mean that theS-NSSAI is allowed to be used in the UE's current tracking area (TA)over the 3GPP access.

When the UE registers with the network, the UE may include a requestedNSSAI (R-NSSAI) in the registration request message if available at theUE. The following describes the network behaviour as specified in [3]:

If the UE indicated the support for network slice-specificauthentication and authorization, and:

-   -   a) if the requested NSSAI IE only includes the S-NSSAIs:        -   1) which are subject to network slice-specific            authentication and authorization; and        -   2) for which the network slice-specific authentication and            authorization procedure has not been initiated;    -   the AMF may in the REGISTRATION ACCEPT message include:        -   1) the “NSSAA to be performed” indicator in the 5GS            registration result IE set to indicate whether network            slice-specific authentication and authorization procedure            will be performed by the network;        -   2) pending NSSAI containing one or more S-NSSAIs for which            network slice-specific authentication and authorization will            be performed; and        -   3) the current registration area in the list of “non-allowed            tracking areas” in the service area list IE; or    -   b) if the requested NSSAI IE includes one or more S-NSSAIs        subject to network slice-specific authentication and        authorization, the AMF may in the REGISTRATION ACCEPT message        include:        -   1) the allowed NSSAI containing the S-NSSAIs or the mapped            S-NSSAIs which are not subject to network slice-specific            authentication and authorization or for which the network            slice-specific authentication and authorization has been            successfully performed; and        -   2) pending NSSAI containing one or more S-NSSAIs for which            network slice-specific authentication and authorization will            be performed, if any.

If the UE indicated the support for network slice-specificauthentication and authorization, and if:

-   -   a) the UE did not include the requested NSSAI in the        REGISTRATION REQUEST message or none of the S-NSSAIs in the        requested NSSAI in the REGISTRATION REQUEST message are present        in the subscribed S-NSSAIs; and    -   b) all of the S-NSSAIs in the subscribed S-NSSAIs are subject to        network slice-specific authentication and authorization;        the AMF may in the REGISTRATION ACCEPT message include:    -   a) the “NSSAA to be performed” indicator in the 5GS registration        result IE to indicate whether network slice-specific        authentication and authorization procedure will be performed by        the network;    -   b) pending NSSAI containing one or more S-NSSAIs for which        network slice-specific authentication and authorization will be        performed; and    -   c) the current registration area in the list of “non-allowed        tracking areas” in the service area list IE.

NSSAA can be re-initiated at any time as specified in section 5.15.10 of[1]:

This procedure can be invoked for a supporting UE by an AMF at any time,e.g., when:

-   -   a. The UE registers with the AMF and one of the S-NSSAIs of the        HPLMN which maps to an S-NSSAI in the requested NSSAI is        requiring network slice-specific authentication and        authorization (see clause 5.15.5.2.1 for details), and can be        added to the allowed NSSAI by the AMF once the network        slice-specific authentication and authorization for the S-NSSAI        succeeds; or    -   b. The network slice-specific AAA Server triggers a UE        re-authentication and re-authorization for an S-NSSAI; or    -   c. The AMF, based on operator policy or a subscription change,        decides to initiate the network slice-specific authentication        and authorization procedure for a certain S-NSSAI which was        previously authorized.

In the case of re-authentication and re-authorization (b. and c. above)the following applies:

If S-NSSAIs that are requiring network slice-specific authentication andauthorization are included in the allowed NSSAI for each Access Type,AMF selects an access Type to be used to perform the network slicespecific authentication and authorization procedure based on networkpolicies.

If the network slice-specific authentication and authorization for someS-NSSAIs in the allowed NSSAI is unsuccessful, the AMF may update theallowed NSSAI for each access type to the UE via UE configuration updateprocedure.

If the network slice-specific authentication and authorization fails forall S-NSSAIs in the allowed NSSAI, the AMF may execute thenetwork-initiated deregistration procedure described in TS 23.502 [2],clause 4.2.2.3.3, and may include in the explicit de-registrationrequest message the list of rejected S-NSSAIs, each of them with theappropriate rejection cause value.

Overview of S-NSSAI IE and its Handling During Roaming

The S-NSSAI IE is coded as shown in FIG. 1.

When the UE is in the home PLMN (HPLMN) then the mapped HPLMN SST (octet7) and mapped HPLMN SD (octets 8 to 10) are not applicable. In fact inthe HPLMN these octets correspond to the SST field (octet 3) and SDfield (octets 4 to 6) respectively.

On the other hand, when the UE is roaming in a visited PLMN (VPLMN) thenthe UE may contain the mapped slice information that corresponds to theslice being use in the VPLMN. For example, assume in a VPLMN 1 the UEhas the following S-NSSAI entry in the allowed NSSAI as shown in FIG. 2.

Basically, the above means that the slice [V1-Cars, V1-BMW] that isbeing accessed in VPLMN 1 corresponds to the slice [H1-Cars, H1-BMW] inthe HPLMN. It may be noted, as shown in FIG. 1, that the SD field andthe mapped HPLMN SD fields are optional.

The network slice selection assistance information (NSSAI) is a list ofsingle-NSSAI (S-NSSAL) and there are different types of NSSAIs such asthe requested NSSAI (which has at most 8 entries), allowed NSSAI (whichhas at most 8 entries), configured NSSAI (which has at most 16 entries),and the pending NSSAI (which has at most 8 entries).

The NSSAI IE is coded as shown in FIG. 3.

The requested mapped NSSAI is a type of mapped NSSAI which is coded asshown in FIG. 4.

The mapped NSSAI contains a list of mapped S-NSSAI entries, where eachmapped S-NSSAI entry is coded as shown in FIG. 5.

The requested mapped NSSAI IE is sent in roaming cases when:

-   -   the UE moves across visited PLMNs and attempts to transfer a        protocol data unit (PDU) session across these visited PLMNs,    -   the UE has an established PDU session in the source VPLMN,    -   the UE knows the mapped HPLMN slice information (i.e., the        mapped HPLMN SST and optionally the mapped HPLMN SD) of the PDU        session that is established in the source VPLMN, and    -   the UE does not have any slice information (i.e., does not have        a configured NSSAI or allowed NSSAI) for the target VPLMN.

As an example to explain this, assume the UE is in VPLMN 1 and has a PDUsession for which the S-NSSAI is {V1-Cars, H-Cars}. For simplicity, thevalue V-Cars corresponds to at least the SST field of FIG. 1 but mayalso include the SD field of FIG. 1. Similarly, for simplicity the valueH-Cars corresponds to at least the mapped HPLMN SST field of FIG. 1 butmay also include the mapped HPLMN SD field of FIG. 1.

Now if the UE moves from VPLMN 1 to a target VPLMN, say VPLMN 2, and theUE does not have any slice information for VPLMN 2, then the UE mayinclude the requested mapped NSSAI IE in the registration requestmessage that is sent in VPLMN 2. The non access stratum (NAS) messagedoes not include the requested NSSAI IE in this case since the UE doesnot have any slice information for VPLMN 2.

Now assume that the UE in VPLMN 1 had two PDU sessions each of which isassociated to one of the following S-NSSAIs:

-   -   {V1-Cars, H-Cars}; and    -   {V1-SmartPhone, H-SmartPhone}

Also, assume that the UE has the following slice information for apotential target VPLMN 2:

-   -   {V2-Cars, H-Cars}

When the UE enters VPLMN 2, the UE may include the following IEs in theregistration request message:

-   -   The requested NSSAI IE that may include the entry {V2-Cars,        H-Cars}. This IE may be sent since the UE has the slice        information for VPLMN 2 and moreover the mapped slice component        i.e., the value “H-Cars,” matches the mapped slice component of        the existing PDU session, and    -   The requested mapped NSSAI IE that may include the entry        {H-SmartPhone}. This IE may be included since the UE does not        have slice information for the VPLMN 2 that matches the mapped        slice component i.e., the value “H-SmartPhone,” of the existing        PDU session.

In the example above, the AMF may consider both the requested NSSAI IEand the requested mapped NSSAI IE for the purpose of sending an allowedNSSAI IE to the UE in the registration accept message.

Note that if, for the sake of an example and for the sake of clarifyinghow slicing works, the UE also had {V2-SmartPhone, H-SmartPhone} as aslice information for the VPLMN 2, then the UE in this case would onlyinclude the requested NSSAI IE in the registration request message sincethe mapped slice information of the existing PDU sessions from VPLMN 1match the mapped slice information of VPLMN 2. In this case therequested mapped NSSAI IE is not included in the registration requestmessage.

To summarize, it should be understood that in roaming cases the UE maysend the requested NSSAI IE only, or the requested mapped NSSAI IE, orboth the requested NSSAI IE and the requested mapped NSSAI IE in theregistration request message. Determining which IE to include depends onwhether the UE has slice information of the target VPLMN and whetherthere is a match between the mapped components of the S-NSSAIs that areassociated with the existing PDU session(s) from the source VPLMN.

Finally, what is very important to note is that if the UE receives theallowed NSSAI IE in the registration accept message, and:

-   -   the entries of the allowed NSSAI IE do not match the entire        S-NSSAI of an existing PDU session, or    -   the mapped slice information (i.e., the mapped HPLMN SST and        optionally the mapped HPLMN SD) of the entries in the allowed        NSSAI IE does not match the mapped slice information of the        existing PDU session,        then the UE may locally release the PDU session whose associated        S-NSSAI does not match any entry in the allowed NSSAI IE as        explained above. This behaviour is described in [3] as follows:    -   with respect to each of the PDU session(s) active in the UE, if        the allowed NSSAI contains neither:        -   a) an S-NSSAI matching to the S-NSSAI of the PDU session;            nor        -   b) a mapped S-NSSAI matching to the mapped S-NSSAI of the            PDU session;    -   the UE may perform a local release of all such PDU sessions        except for the persistent PDU session(s).

The above information is presented as background information only toassist with an understanding of the present disclosure. No determinationhas been made, and no assertion is made, as to whether any of the abovemay be applicable as prior art with regard to the present disclosure.

SUMMARY

It is an aim of certain examples of the present disclosure to address,solve and/or mitigate, at least partly, at least one of the problemsand/or disadvantages associated with the related art, for example atleast one of the problems and/or disadvantages described herein. It isan aim of certain examples of the present disclosure to provide at leastone advantage over the related art, for example at least one of theadvantages described herein.

The present disclosure is defined in the independent claims.Advantageous features are defined in the dependent claims.

Other aspects, advantages, and salient features will become apparent tothose skilled in the art from the following detailed description, takenin conjunction with the annexed drawings, which disclose examples of thepresent disclosure.

Before undertaking the DETAILED DESCRIPTION below, it may beadvantageous to set forth definitions of certain words and phrases usedthroughout this patent document: the terms “include” and “comprise,” aswell as derivatives thereof, mean inclusion without limitation; the term“or,” is inclusive, meaning and/or; the phrases “associated with” and“associated therewith,” as well as derivatives thereof, may mean toinclude, be included within, interconnect with, contain, be containedwithin, connect to or with, couple to or with, be communicable with,cooperate with, interleave, juxtapose, be proximate to, be bound to orwith, have, have a property of, or the like; and the term “controller”means any device, system or part thereof that controls at least oneoperation, such a device may be implemented in hardware, firmware orsoftware, or some combination of at least two of the same. It should benoted that the functionality associated with any particular controllermay be centralized or distributed, whether locally or remotely.

Moreover, various functions described below can be implemented orsupported by one or more computer programs, each of which is formed fromcomputer readable program code and embodied in a computer readablemedium. The terms “application” and “program” refer to one or morecomputer programs, software components, sets of instructions,procedures, functions, objects, classes, instances, related data, or aportion thereof adapted for implementation in a suitable computerreadable program code. The phrase “computer readable program code”includes any type of computer code, including source code, object code,and executable code. The phrase “computer readable medium” includes anytype of medium capable of being accessed by a computer, such as readonly memory (ROM), random access memory (RAM), a hard disk drive, acompact disc (CD), a digital video disc (DVD), or any other type ofmemory. A “non-transitory” computer readable medium excludes wired,wireless, optical, or other communication links that transporttransitory electrical or other signals. A non-transitory computerreadable medium includes media where data can be permanently stored andmedia where data can be stored and later overwritten, such as arewritable optical disc or an erasable memory device.

Definitions for certain words and phrases are provided throughout thispatent document, those of ordinary skill in the art should understandthat in many, if not most instances, such definitions apply to prior, aswell as future uses of such defined words and phrases.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present disclosure and itsadvantages, reference is now made to the following description taken inconjunction with the accompanying drawings, in which like referencenumerals represent like parts:

FIG. 1 illustrates an S-NSSAI information element;

FIG. 2 illustrates an example S-NSSAI value;

FIG. 3 illustrates an NSSAI information element;

FIG. 4 illustrates a mapped NSSAI information element;

FIG. 5 illustrates a mapped S-NSSAI content; and

FIG. 6 is a block diagram of an exemplary network entity that may beused in certain examples of the present disclosure.

DETAILED DESCRIPTION

FIGS. 1 through 6, discussed below, and the various embodiments used todescribe the principles of the present disclosure in this patentdocument are by way of illustration only and should not be construed inany way to limit the scope of the disclosure. Those skilled in the artwill understand that the principles of the present disclosure may beimplemented in any suitably arranged system or device:

The following description of examples of the present disclosure, withreference to the accompanying drawings, is provided to assist in acomprehensive understanding of the present disclosure, as defined by theclaims. The description includes various specific details to assist inthat understanding but these are to be regarded as merely exemplary.Accordingly, those of ordinary skill in the art will recognize thatvarious changes and modifications of the examples described herein canbe made without departing from the scope of the disclosure.

The same or similar components may be designated by the same or similarreference numerals, although the same or similar components may beillustrated in different drawings.

Detailed descriptions of techniques, structures, constructions,functions or processes known in the art may be omitted for clarity andconciseness, and to avoid obscuring the subject matter of the presentdisclosure.

The terms and words used herein are not limited to the bibliographicalor standard meanings, but, are merely used to enable a clear andconsistent understanding of the disclosure.

Throughout the description and claims of this specification, the words“comprise”, “include” and “contain” and variations of the words, forexample “comprising” and “comprises”, means “including but not limitedto”, and is not intended to (and does not) exclude other features,elements, components, integers, steps, processes, operations, functions,characteristics, properties and/or groups thereof.

Throughout the description and claims of this specification, thesingular form, for example “a”, “an” and “the”, encompasses the pluralunless the context otherwise requires. For example, reference to “anobject” includes reference to one or more of such objects.

Throughout the description and claims of this specification, language inthe general form of “X for Y” (where Y is some action, process,operation, function, activity or step and X is some means for carryingout that action, process, operation, function, activity or step)encompasses means X adapted, configured or arranged specifically, butnot necessarily exclusively, to do Y.

Features, elements, components, integers, steps, processes, operations,functions, characteristics, properties and/or groups thereof describedor disclosed in conjunction with a particular aspect, embodiment,example or claim of the present disclosure are to be understood to beapplicable to any other aspect, embodiment, example or claim describedherein unless incompatible therewith.

Certain examples of the present disclosure provide methods, apparatusand systems for performing network slice-specific authentication andauthorization. The following examples are applicable to, and useterminology associated with, 3GPP 5G. For example, certain examples ofthe present disclosure provide methods, apparatus and systems forenabling correct operations for network slice-specific authenticationand authorization in 3GPP 5G. However, the skilled person willappreciate that the techniques disclosed herein are not limited to theseexamples or to 3GPP 5G, and may be applied in any suitable system orstandard, for example one or more existing and/or future generationwireless communication systems or standards.

For example, the functionality of the various network entities and otherfeatures disclosed herein may be applied to corresponding or equivalententities or features in other communication systems or standards.Corresponding or equivalent entities or features may be regarded asentities or features that perform the same or similar role, function,operation or purpose within the network. For example, the functionalityof the AMF in the examples below may be applied to any other suitabletype of entity performing mobility management functions.

The skilled person will appreciate that the present disclosure is notlimited to the specific examples disclosed herein. For example:

-   -   The techniques disclosed herein are not limited to 3GPP 5G;    -   One or more entities in the examples disclosed herein may be        replaced with one or more alternative entities performing        equivalent or corresponding functions, processes or operations;    -   One or more of the messages in the examples disclosed herein may        be replaced with one or more alternative messages, signals or        other type of information carriers that communicate equivalent        or corresponding information;    -   One or more further elements, entities and/or messages may be        added to the examples disclosed herein;    -   One or more non-essential elements, entities and/or messages may        be omitted in certain examples;    -   The functions, processes or operations of a particular entity in        one example may be divided between two or more separate entities        in an alternative example;    -   The functions, processes or operations of two or more separate        entities in one example may be performed by a single entity in        an alternative example;    -   Information carried by a particular message in one example may        be carried by two or more separate messages in an alternative        example;    -   Information carried by two or more separate messages in one        example may be carried by a single message in an alternative        example;    -   The order in which operations are performed may be modified, if        possible, in alternative examples; and    -   The transmission of information between network entities is not        limited to the specific form, type and/or order of messages        described in relation to the examples disclosed herein.

Certain examples of the present disclosure may be provided in the formof an apparatus/device/network entity configured to perform one or moredefined network functions and/or a method therefor. Certain examples ofthe present disclosure may be provided in the form of a system (e.g., anetwork) comprising one or more such apparatuses/devices/networkentities, and/or a method therefor.

For example, in the following examples, a network may include a userequipment (UE), and an access and mobility management function (AMF)entity.

The 5G core (5GC) AMF receives all connection and session relatedinformation from the UE (N1/N2) but is responsible only for handlingconnection and mobility management tasks. All messages related tosession management are forwarded over the N11 reference interface to thesession management function (SMF). The AMF performs the role of accesspoint to the 5GC. The functional description of AMF is given in 3GPP TS23.501 V16.3.0, clause 6.2.1.

At least the following problems exist in view of the related art:

1. NSSAA does not Consider the Requested Mapped NSSAI IE and the UE MayIncorrectly Release a PDU Session Thereby Impacting the User'sExperience

As described above, when the UE is roaming, the UE may include therequested NSSAI IE only, the requested mapped NSSAI IE only, or both therequested NSSAI IE and the requested mapped NSSAI IE in the registrationrequest message.

The current NSSAA procedure does not consider UEs that are roaming andhence it is unclear what the AMF may do when the requested mapped NSSAIIE is received and how this impacts NSSAA.

In relation to roaming, as also mentioned above, when the UE receives anallowed NSSAI IE in the registration accept message for which no S-NSSAIentry of the allowed NSSAI, or no mapped S-NSSAI component of theS-NSSAI entries in the allowed NSSAI match the mapped S-NSSAIinformation of an existing PDU session, the UE may perform a localrelease of these PDU sessions. This may be incorrect behaviour that maylead to an unnecessary release of the PDU session and disruption to theuser experience. For example, the allowed NSSAI may not include such anS-NSSAI that would match the slice information of an existing PDUsession because the slice is subject to NSSAA. Hence, the sliceinformation, for which there is a potential match, may be in the pendingNSSAI IE and therefore considering only the allowed NSSAI IE in thiscase can lead to an early and incorrect release of the PDU sessionlocally in the UE.

2. Collisions of Procedures have not been Considered

The NAS specification [3] usually considers collisions of different NASprocedures or messages and specifies which procedure or message may beprioritized in some cases depending on the colliding procedures inquestion. There are some collision cases that can occur during NSSAAthat have not yet been considered thereby leaving the UE and networkbehaviour unclear when such cases arise. The following cases areidentified as lacking any defined behaviour.

Case 1: A Collision of an Authentication Procedure and NSSAA Procedure

As stated above, NSSAA may occur after the authentication procedurecompletes. However, it is possible that the same AMF that initiates anNSSAA procedure may also initiate an authentication procedure. This isbecause the re-initiation of the authentication procedure can happen atany time in connected mode. For example, assume the UE is registeredover one access e.g., say the 3GPP access, the UE is in connected mode,and the network is performing NSSAA. Then the UE registers over a secondaccess, e.g., say the non-3GPP access, to the same PLMN or AMF. The AMFmay have a policy to run authentication for every initial registration.In this case, although NSSAA is ongoing, the AMF may initiate theauthentication procedure and send the Authentication request message tothe UE. At the UE, the authentication request message may be receivedafter (or before) a network slice-specific authentication commandmessage is received in the UE but before the UE responds with thenetwork slice-specific authentication complete message, then there hasto be specified behaviour for the UE to follow in terms of which messageneeds to be prioritized. The same question can be asked for the AMFi.e., if the AMF sends the authentication request message after sendinga network slice-specific authentication command message to the UE, andthe AMF has not yet received the authentication response but receivesthe network slice-specific authentication complete message, then it isnot clear if the AMF may accept the latter or wait for theauthentication procedure to complete.

Case 2: A Collision of a Generic UE Configuration Update Procedure andNSSAA Procedure

The generic UE configuration update procedure can be initiated at anytime when the UE is in connected mode. Similarly, the NSSAA procedurecan be initiated at any time for a UE that is in connected mode. Assuch, these procedures may collide and the related messages may be sentby the AMF at approximately the same time thereby the UE receives thesemessages at approximately the same time. The NAS specification [3]usually defines the behaviour for the recipient in collision caseshowever the current specification has not defined the behaviour for thecollision of these procedures. Certain examples of the presentdisclosure aim to solve this problem by specifying the correct behaviourto mitigate such collisions.

Case 3: A Collision of a Service Request Procedure and NSSAA Procedure

The UE can initiate the service request procedure when in connectedmode. At the same time, the network may initiate NSSAA for the UE inconnected mode. For example, the UE can be in 5GMM-CONNECTED mode overthe non-3GPP access and then the UE performs a registration procedureover the 3GPP access. The AMF may indicate that NSSAA may be performedin the 5GS registration result IE and may include the pending NSSAI IEin the registration accept message but the AMF may not include theallowed NSSAI IE in the NAS message. At the same time, or approximatelythe same time, the UE may send the service request message over thenon-3GPP access although the existing requirement is such that this maynot happen. There is currently no mechanism to handle this collision.

3. Lack of Methods to Handle Abnormal Cases

The NAS specification [3] handles abnormal cases that can occur anddescribes a method for recovering from them.

Case 1: Transmission Failure of the Network Slice-SpecificAuthentication Complete Message with TAI Change from Lower Layers

The following abnormal case has been identified for NSSAA in section5.4.7.2.4 in [3]:

-   -   a) Transmission failure of the NETWORK SLICE-SPECIFIC        AUTHENTICATION COMPLETE message with TAI change from lower        layers

If the current TAI is not in the TAI list, the network slice-specificauthentication and authorization procedure may be aborted and aregistration procedure for mobility and periodic registration updateindicating “mobility registration updating” in the 5GS registration typeIE of the REGISTRATION REQUEST message may be initiated.

If the current TAI is still part of the TAI list, it is up to the UEimplementation how to re-run the ongoing procedure that triggered thenetwork slice-specific authentication and authorization procedure.

The case above means that the UE, during an ongoing NSSAA enters a newtracking area identity (TAI) that is not in the UE's current list ofTAIs and therefore the UE would need to perform a registration procedureagain.

Although the behaviour above is fine, what is not yet considered is howthe UE handles the requested NSSAI IE that may be sent in theregistration request procedure.

It may be noted that there is a requirement that the UE with a pendingNSSAI may not include the S-NSSAIs in the pending NSSAI if the UE sendsa registration request again except when specific conditions occur.However, before entering a new TAI as described above, the UE may havereceived a pending NSSAI IE but no allowed NSSAI IE, or the UE may havereceived both IEs. In any cases, as the UE is moving into a new TAI,this new area may be served by a new AMF. Therefore, if the UE does notsend the requested NSSAI IE again, then the determination (by the AMF)of the entries of the allowed NSSAI IE would be different as compared tothe case when the UE actually sends a requested NSSAI IE. Hence, notsending the requested NSSAI IE may be led to an incorrect behaviour andundesirable outcome. The present disclosure analyses different cases todetermine whether or not the requested NSSAI IE may be included in theregistration request message following the abnormal case in an effort toavoid undesirable outcomes.

Case 2: NSSAA Performed for an S-NSSAI that is in the Allowed NSSAI Listor is not in the Pending NSSAI

The UE may register with the network e.g., at initial registration, andget an allowed NSSAI with an S-NSSAI entry, say for example S-NSSAI X.The network may also provide a pending NSSAI list in the registrationaccept message for which NSSAA is to be performed.

The UE may then receive the network slice-specific authenticationcomplete message for an S-NSSAI, say S-NSSAI X, that is already in theallowed NSSAI list in the UE or is not in the pending NSSAI list in theUE. This is an abnormal case and the UE behaviour has not yet beendefined to handle such a scenario.

Case 3: Unnecessary Release of a NAS Connection

To avoid the unnecessarily maintenance of a NAS connection, the UEstarts the timer T3540 in some cases to guard a maximum period of timeduring which the network is expected to release the NAS signallingconnection. The cases for which the UE starts T3540 are described insection 5.3.1.3 of the NAS specification in [3].

However, the current conditions for the start of T3540 (which whenexpires may lead to the local release of the NAS connection in the UE),specifically associated with the registration procedure, are notcomplete and hence need to be updated. Otherwise, the NAS connection maybe released earlier than needed.

4. Issue with Prohibiting the Service Request Procedure During NSSAA

The AMF may indicate that NSSAA is pending by including the “NSSAA to beperformed” indicator in the 5GS registration result IE and the AMF mayinclude the pending NSSAI IE without including the allowed NSSAI IE inthe registration accept message. In this case, the UE is not allowed toperform a service request procedure except for emergency services, orhigh priority access, or for responding to paging or notification overnon-3 GPP access.

However, the UE may be in 5GMM-CONNECTED mode over the non-3GPP accesswhile NSSAA is ongoing. It is already an existing trigger that if thelower layer connection of the non-3 GPP access is lost, then the UE mayperform a service request procedure to re-establish the NAS connectionwhen the lower layers (of the non-3 GPP access) indicate that theconnection has been regained as specified in section 5.6.1.1 of [3]:

This procedure is used when:

-   -   the UE in 5GMM-IDLE mode over non-3GPP access, receives an        indication from the lower layers of non-3GPP access, that the        access stratum connection is established between UE and network;        or . . .

However, the prohibition of the service request procedure due to theongoing NSSAA leads to contradictory requirement at the UE where:

-   -   on one hand the loss of the lower layer connection requires the        initiation of the service request procedure, and    -   on the other hands the ongoing NSSAA procedure prohibits the        initiation of the service request procedure as the loss of the        lower layer connection is not one of the identified exceptions        for initiating the service request procedure.        5. Fallback Indication from Lower Layers and the UE has NSSAA        Complete Message to Send

The UE in 5GMM-CONNECTED mode may receive a fallback indication from thelower layers as described in section 5.3.1.2 of the NAS specification in[3] (reproduced below for reference):

When the UE in 5GMM-CONNECTED mode over 3GPP access receives a fallbackindication from lower layers, and the UE has no pending NAS procedureand no pending uplink user data for PDU session(s) with user-planeresources already established, the UE may:

-   -   a) enter 5GMM-IDLE mode; and    -   b) initiate the registration procedure for mobility and periodic        registration update and include the Uplink data status IE in the        registration request message indicating the PDU session(s) for        which user-plane resources were active prior to receiving the        fallback indication, if any (see subclause 5.5.1.3 for further        details).

When the UE in 5GMM-CONNECTED mode over 3GPP access receives a fallbackindication from lower layers, and the UE has pending uplink user datafor PDU session(s) with user-plane resources already established but nopending NAS procedure, the UE may:

-   -   a) enter 5GMM-IDLE mode; and    -   b) initiate the service request procedure and include the Uplink        data status IE in the SERVICE REQUEST message indicating the PDU        session(s) for which user-plane resources were active prior to        receiving the fallback indication (see subclause 5.6.1 for        further details).

When the UE in 5GMM-CONNECTED mode over 3GPP access receives a fallbackindication from lower layers, and the UE has a pending registrationprocedure, a service request procedure, or a de-registration procedure,the UE may:

-   -   a) enter 5GMM-IDLE mode;    -   b) proceed with the pending procedure; and    -   c) if the pending procedure is a service request or registration        procedure, the UE may include the Uplink data status IE in the        service request message, or in the registration request message,        indicating the PDU session(s) for which user-plane resources        were not active prior to receiving a fallback indication from        the lower layers and the UE has pending user data to be sent        over 3GPP access, if any, and the PDU session(s) for which        user-plane resources were active prior to receiving the fallback        indication, if any (see subclauses 5.5.1.3 and 5.6.1 for further        details).

When the UE in 5GMM-CONNECTED mode over 3GPP access receives a fallbackindication from lower layers, and the UE has a pending NAS procedureother than a registration procedure, a service request procedure, or ade-registration procedure, the UE may:

-   -   a) enter 5GMM-IDLE mode;    -   b) initiate the service request procedure and include the Uplink        data status IE in the service request message indicating the PDU        session(s) for which user-plane resources were active prior to        receiving the fallback indication, if any (see subclause 5.6.1        for further details); and    -   c) upon successful service request procedure completion, proceed        with any pending procedure.

The cases above apply when the UE is in an allowed area or when the UEis not in a non-allowed area.

When the UE:

-   -   a) is in a non-allowed area or is not in an allowed area;    -   b) is in 5GMM-CONNECTED mode over 3GPP access;    -   c) receives a fallback indication from lower layers; and    -   d) does not have signalling pending,

the UE may:

-   -   a) enter 5GMM-IDLE mode; and    -   b) initiate the registration procedure for mobility and periodic        registration update. The UE may not include the Uplink data        status IE in the registration request message except if the PDU        session for which user-plane resources were active is an        emergency PDU session, or if the UE is configured for high        priority access in the selected PLMN.

In the above cases when the UE receives a fallback indication from lowerlayers, if the UE is in non-allowed area or not in allowed area, the UEmay behave as specified in subclause 5.3.5.

A particular behaviour to note is that if the UE has a pending procedurethat is not a registration procedure, not a service request procedure,and not a deregistration procedure, then after reception of a fallbackindication from the lower layers the UE may initiate a service requestprocedure from idle mode and after the completion of the procedure theUE continues with the pending NAS procedure.

During a registration procedure, the UE may receive a pending NSSAI listin the registration accept message and the network may then start NSSAA.The UE may receive the network slice-specific authentication commandmessage and the UE may have to respond to this message and hence the UEhas a pending NAS message that is not a registration procedure, not aservice request procedure, and not a deregistration procedure. The UEmay then receive a fallback indication from the lower layers. Sincethere are some requirements that the UE may not initiate a servicerequest procedure during NSSAA, optionally when no allowed NSSAI isavailable in the UE, then the recovery from fallback would contradictthat requirement. The UE behaviour needs to be defined in this case suchthat the proper recovery from fallback can occur.

6. Handling of Timer T3346 when the UE Receives a NAS Message for NSSAA

The UE may be in 5GMM-CONNECTED mode with the NAS congestion controltimer T3346 running. The UE may then receive a network slice-specificauthentication command message for NSSAA. Currently, the UE does notstop the timer T3346 if it is running and this is an incorrectbehaviour.

7. Impacts to NSSAA During a Registration Procedure for PeriodicUpdating

The UE is not mandated to send the requested NSSAI during periodicregistration which means that the NSSAI information that is requested bythe UE has not changed since the last signalling or registration withthe network. However, if the allowed NSSAI has changed for the UE, theAMF can provide a new allowed NSSAI in the registration accept message.

Currently, the providing an allowed NSSAI and/or a pending NSSAI to theUE during a registration procedure depends on whether or not the UE senta requested NSSAI and the contents of the requested NSSAI. For example,the UE may not have any slice information for the current PLMN and hencemay not send a requested NSSAI although the registration is nottriggered due to periodic registration. In this case, the AMF mayconsider the default slices for the UE.

However as mentioned above, since the UE does not provide a requestedNSSAI during periodic registration, the AMF may consider the defaultslices for the UE and therefore provide the wrong allowed NSSAI.Therefore, the current procedure for NSSAA needs to consider whether ornot the UE is performing a periodic registration and determine thecontents of the pending NSSAA accordingly. The current handling of theregistration request message currently does not consider this aspect andhence needs to be updated for a correct handling and execution of theNSSAA procedure.

In view of the above problems, certain examples of the presentdisclosure provide one or more of the following solutions.

1. Solution to Enable NSSAA During Roaming Cases (and Non-Roaming Cases)

As described above, the roaming UE may include the requested mappedNSSAI IE in the registration request message and the S-NSSAI(s) includedin this IE may be subject to NSSAA.

Therefore, it is provided that the AMF may also consider and take intoaccount the mapped S-NSSAI content in the requested mapped NSSAI IE forNSSAA optionally in addition to the S-NSSAI entries of the requestedNSSAI IE if the latter is also included in the registration requestmessage.

In addition to the current behaviour, the AMF may also perform thefollowing actions:

-   -   If the UE does not support NSSAA, the UE sent the requested        mapped NSSAI IE in the registration request and the S-NSSAI        entries in the IE are subject to NSSAA, and optionally        -   the requested NSSAI IE is not included in the registration            request message, or        -   the requested NSSAI IE is included in the registration            request message and the entries in the requested NSSAI IE            are subject to NSSAA,    -   then the AMF may reject the registration by sending the        registration reject message and include the 5GMM cause #62 “No        network slices available” and the AMF may also include the        rejected NSSAI IE. In this case, the SST field of the rejected        S-NSSAI may be set to the mapped HPLMN SST that was included in        the requested mapped NSSAI IE, and for which NSSAA is required,        and the SD field of the rejected S-NSSAI may be set to the        mapped HPLMN SD field if the latter was included in the        requested mapped NSSAI IE.    -   If the entries in the requested mapped NSSAI are not subject to        NSSAA and the AMF's policy allows that these slices can be used        by the UE and the associated PDU session is allowed to be        transferred, then the AMF may include the corresponding S-NSSAI        in the allowed NSSAI IE and send the IE to the UE in the        registration accept message.    -   If the UE supports NSSAA and the UE included the requested        mapped NSSAI IE in the registration request message for which        the entries in the requested mapped NSSAI are subject to NSSAA,        the AMF may include the corresponding S-NSSAIs in the pending        NSSAI IE and send the IE to the UE in the registration accept        message. Note that the pending NSSAI IE may also include entries        from the requested NSSAI IE if the latter was included by the UE        in the registration request message.    -   When rejecting a registration request message from the UE due to        NSSAA, the AMF may also consider different cases i.e., it may        consider whether the requested mapped NSSAI IE is included or        the requested NSSAI IE is included in the message. The AMF        behaviour is provided to be as follows:        -   If the registration request message included the requested            mapped NSSAI IE but did not include the requested NSSAI IE            and NSSAA is revoked or failed for all the entries in the            requested mapped NSSAI IE (or all the entries are rejected            for the current registration area or rejected for the            current PLMN), and optionally there is no entry for which            the network allows the UE to use without NSSAA or there is            no default S-NSSAI that is allowed for the UE, then the            network may send the registration reject and include the            rejected NSSAI IE. For each of the rejected S-NSSAI entry in            the rejected NSSAI IE, the AMF may set the reject cause to            “S-NSSAI is not available due to the failed or revoked            network slice-specific authentication and authorization.”        -   If the registration request message included the requested            mapped NSSAI IE and also the requested NSSAI IE, and NSSAA            is revoked or failed for all the entries in both IEs (or all            the entries are rejected for the current registration area            or rejected for the current PLMN), and optionally there is            no entry in any of these IEs for which the network allows            the UE to use without NSSAA or there is no default S-NSSAI            that is allowed for the UE, then the network may send the            registration reject and include the rejected NSSAI IE. For            each of the rejected S-NSSAI entry in the rejected NSSAI IE,            the AMF may set the reject cause to “S-NSSAI is not            available due to the failed or revoked network            slice-specific authentication and authorization.” The            Deregistration request message may include the 5GMM cause            indicating #62 “No network slices available.”        -   When the AMF sends the rejected NSSAI IE due to failure of            NSSAA, or revocation of NSSAA, or the UE does not support            NSSAA but all the S-NSSAIs that the UE requested (either in            the requested mapped NSSAI IE, or in the requested NSSAI IE,            or both) are subject to NSSAA, then the entries in the            rejected NSSAI IE may be set to the mapped S-NSSAI (i.e.,            the S-NSSAI of the HPLMN). The registration reject message            may include the 5GMM cause indicating #62 “No network slices            available.”        -   Alternatively, when any of the above occurs for a UE in            connected mode, i.e., when the AMF considers the contents of            the requested mapped NSSAI IE and/or the contents of the            requested NSSAI IE, and NSSAA fails for all the entries in            the IEs, and optionally there is no default slices that are            allowed for the UE, or optionally there entries in the IEs            are rejected for the current PLMN or registration area, then            the AMF may send the Deregistration request message and set            the 5GMM cause to #62 “No network slices available.” The AMF            may also include the rejected NSSAI.

When NSSAA is to be performed, the UE may receive the registrationaccept message with a pending NSSAI IE and optionally an allowed NSSAIIE. According to current behaviour, if the UE receives the allowed NSSAIIE for which there is no match between the S-NSSAI entries and theS-NSSAI that is associated with a PDU session, or between the mappedS-NSSAI (of the allowed NSSAI entries) and the mapped S-NSSAI that isassociated with a PDU session, then the UE may locally release the PDUsession for which there is no match as described above.

However, during NSSAA, an S-NSSAI that is associated with a PDU sessionmay not be in the allowed NSSAI IE but may be in the pending NSSAI IE.Therefore, the UE which supports NSSAA may not ignore the contents ofthe pending NSSAI IE before concluding or determining that a PDU sessionmay be released. Therefore, it is provided that:

-   -   If the UE receives an allowed NSSAI IE and a pending NSSAI IE,        then even if there is no match between the:        -   S-NSSAIs in the allowed NSSAI IE and the S-NSSAI for each            and every PDU session, or        -   mapped S-NSSAI of the entries in the allowed NSSAI IE and            the mapped S-NSSAI for each and every PDU session,    -   then the UE may check for a match, as described above i.e.,        between:        -   the S-NSSAI entries in the pending S-NSSAI IE and the            S-NSSAI of each and every PDU session, or        -   mapped S-NSSAI of the entries in the pending NSSAI IE and            the mapped S-NSSAI for each and every PDU session.

If there is a match, then the UE may not release the PDU session forwhich the match occurred and may wait to determine if the session may bereleased after NSSAA completes and after the UE gets the allowed NSSAIIE for which it may perform the check again. Optionally the UE performsthe check again (e.g., on the allowed NSSAI entries) after the pendingNSSAI list is empty.

If there is no match, as described above, with any entry of the pendingNSSAI IE, then the UE may (for each PDU session for which a match didnot occur) release the PDU session locally except for persistent PDUsessions or a PDU session for emergency services.

-   -   If the UE does not receive the allowed NSSAI IE but receives the        pending NSSAI IE, then the UE may maintain the PDU session until        the allowed NSSAI IE is received after which the UE performs the        check as described above and determine whether or not a PDU        session may be released.        -   Alternatively, the UE may perform the check against the            entries in the pending NSSAI IE as described above i.e., the            UE checks for a match between:            -   the S-NSSAI entries in the pending S-NSSAI IE and the                S-NSSAI of each and every PDU session, or            -   mapped S-NSSAI of the entries in the pending NSSAI IE                and the mapped S-NSSAI for each and every PDU session.

If there is a match, the UE maintains the PDU session for which thematch occurred until the allowed NSSAI IE is received after which the UEperforms the check again and then determines whether or not a PDUsession may be released.

If there is no match, as described above, with any entry of the pendingNSSAI IE, then the UE may release the PDU session locally except forpersistent PDU sessions or a PDU session for emergency services.

The provided embodiment above can also be achieved by the followingchecks at the UE:

With respect to each of the PDU session(s) active in the UE, if the UEdoes indicate support for network slice-specific authentication andauthorization and:

-   -   1) if the UE received a pending NSSAI but no allowed NSSAI, and        every mapped S-NSSAI in the pending NSSAI does not match with        the mapped S-NSSAI of the PDU session;    -   2) if the UE received a pending NSSAI and an allowed NSSAI, and        -   i) the allowed NSSAI contains neither:            -   A) an S-NSSAI matching to the S-NSSAI of the PDU                session; nor            -   B) a mapped S-NSSAI matching to the mapped S-NSSAI of                the PDU session; and        -   ii) every mapped S-NSSAI in the pending NSSAI does not match            with the mapped S-NSSAI of the PDU session; or    -   3) if the UE received an allowed NSSAI but no pending NSSAI, and        the allowed NSSAI contains neither:        -   i) an S-NSSAI matching to the S-NSSAI of the PDU session;            nor        -   ii) a mapped S-NSSAI matching to the mapped S-NSSAI of the            PDU session;            the UE may perform a local release of all such PDU sessions            except for an emergency PDU session, if any.

Optionally, the UE may always maintain the PDU sessions as long as theUE has a pending NSSAI that is not empty, or optionally as long as the5GS registration result IE indicates “NSSAA to be performed.” When theUE receives an allowed NSSAI and/or rejected NSSAI such that as part ofstoring this information the UE's pending NSSAI becomes empty, the UEthen performs the check against the allowed NSSAI (as currentlyspecified in TS 24.501 and also described above) to determine if thesession may be maintained or not. In other words, the UE maintains thePDU sessions until the UE receives an allowed NSSAI and/or the UE'spending NSSAI is empty, and then the UE checks the allowed NSSAI for amatch between the:

-   -   S-NSSAIs in the allowed NSSAI IE and the S-NSSAI for each and        every PDU session, or    -   mapped S-NSSAI of the entries in the allowed NSSAI IE and the        mapped S-NSSAI for each and every PDU session.

If there is no match as described above, then the UE releases the PDUsession for which there is no match, except a PDU session for emergencyservices or high priority access.

Note that the provided embodiments above apply even for non-roamingcases i.e., even if the UE did not send the requested mapped NSSAI IE.Note that the above provided embodiments also apply for the case whenthe UE performs an inter-system change from S1 mode (i.e., from EPS) toN1 mode (i.e., to 5GS) and optionally when the N26 interface issupported in the system.

Moreover, the check as described above can also be made between what theUE sends in the {requested NSSAI IE or the requested mapped NSSAI IE}and the entries of {the allowed NSSAI IE or the pending NSSA IE}.

Note that some or all of the checks above (i.e., the checks in the UE todetermine whether or not a PDU session may be locally released based onthe received NSSAI information) may also be performed when the UEreceives the same information or a subset of the information (i.e.,allowed NSSAI only, or pending NSSAI only, or both allowed NSSAI andpending NSSAI) in the configuration update command message.

Note that the term “mapped S-NSSAI in the pending NSSAI” also refers toan S-NSSAI entry in the pending NSSAI.

2. Solution to Handle Collisions Between NSSAA Procedure and OtherProcedures

Case 1: Solution for Collision Between an Authentication Procedure andNSSAA Procedure

As described above, during NSSAA, the network may initiate an NSSAAprocedure and then initiate an authentication procedure.

If the UE receives the network slice-specific authentication commandmessage over any access type (e.g., 3GPP access or non-3GPP access) and(approximately at the same time or shortly after) the UE also receivesthe Authentication request message over any access type (e.g., 3GPPaccess or non-3GPP access), where the access type over which one of theNAS messages is not necessarily the same as the access type over whichthe other NAS message is received, then the UE may ignore or abort theNSSAA procedure (i.e., ignore the network slice-specific authenticationcommand message) and continue with the authentication procedure (i.e.,process the Authentication request message). Alternatively, the UE mayfirst process the Authentication request message and first successfullycomplete the procedure for authentication and optionally for securitymode control before responding to the network slice-specificauthentication command message. In this case, the UE may only send thenetwork slice-specific authentication complete message after sending theauthentication response or security mode complete message.

Note that the provided embodiment above applies to a collision betweenthe NSSAA procedure and a security control procedure.

Hence if the UE receives a network slice-specific authentication commandmessage over an access type and (approximately at the same time orshortly after) the UE also receives a security mode command message overthe same access type then the UE may prioritize handling the securitymode command message (i.e., may prioritize the security mode controlprocedure) over the network slice-specific authentication commandmessage (i.e., over the NSSAA procedure). The UE may ignore the networkslice-specific authentication command message (i.e., ignore or abort theNSSAA procedure) and process the security mode command message (i.e.,continue with the security mode control procedure). Alternatively, theUE may first complete the ongoing security mode control procedure andafter the successful completion of the procedure (i.e., after the UEsends the Security Mode Complete message) the UE can then process thenetwork slice-specific authentication command message and potentiallyrespond with the network slice-specific authentication complete message.

Case 2: Solution for Collision Between a Generic UE Configuration UpdateProcedure and NSSAA Procedure

As described above, during NSSAA, the network may initiate an NSSAAprocedure and then initiate a generic UE configuration update procedure.If the UE receives the network slice-specific authentication commandmessage over any access type (e.g., 3GPP access or non-3GPP access) and(approximately at the same time or shortly after) the UE also receivesthe configuration update command message over any access type (e.g.,3GPP access or non-3GPP access), where the access type over which one ofthe NAS messages is not necessarily the same as the access type overwhich the other NAS message is received, and if the configuration updatecommand message indicates that a registration is required (e.g., withthe “registration requested” bit of the configuration update indicationIE or any other means that can be used to indicate that a registrationis required) then the UE may ignore or abort the NSSAA procedure (i.e.,ignore the network slice-specific authentication command message) andproceed with the generic UE configuration update procedure (i.e.,process the configuration update command message).

-   -   Alternatively, the provided embodiment above may be applied if        the configuration update command message does not contain any        parameter other than the indication to register (e.g., the        message contains no other IE except the configuration update        indication IE).    -   Alternatively, the provided embodiment above may be applied if        the configuration update command message indicates that a        registration is required and the message also includes the        Network slicing indication IE with the NSSCI bit (see [3]) set        to “network slicing subscription changed.”    -   Alternatively, the provided embodiment above may not apply,        i.e., the UE continues with both the NSSAA procedure and the        generic UE configuration update procedure, if the UE is        requested to perform a registration while in connected mode        e.g., when the MICO indication IE is present in the        configuration update command message. Note that the presence of        the MICO indication IE is an example of when the UE is requested        to perform a registration procedure in connected mode but there        can be other cases for which the UE is requested to perform a        registration in connected mode and for these cases the provided        embodiment above does not apply.        -   Note: “the provided embodiment above may not apply” means            that the UE does not ignore the NSSAA procedure and the UE            continues to process both the network slice-specific            authentication command message and the configuration update            command message and none of the procedures is aborted.

Case 3: Solution for Collision Between a Service Request Procedure andNSSAA Procedure

As described above, during an ongoing NSSAA procedure e.g., over the3GPP access, the UE may initiate the service request procedure over thenon-3GPP procedure.

When the AMF receives a service request message over the non-3GPP accessfrom a UE that is in 5GMM-CONNECTED mode over the non-3GPP access, ifthe:

-   -   AMF has initiated NSSAA for the UE over the same or a different        access,    -   And optionally the AMF has sent the registration accept message        (prior to the start of NSSAA) to the UE over a different access        where the message contains a pending NSSAI IE and the 5GS        registration result IE indicating “NSSAA to be performed,” and        the message does not contain the allowed NSSAI IE,    -   And the AMF receives a service request message from the UE over        the non-3GPP access, optionally from a UE that is in        5GMM-CONNECTED mode, and optionally the service request message        includes the Uplink data status IE,        then the AMF may abort the service request procedure (i.e.,        ignore the service request message) and proceed with the NSSAA        procedure (i.e., send the network slice-specific authentication        command message to the UE if not yet sent, or process the        network slice-specific authentication complete message from the        UE if received).

Otherwise, if the conditions above are not met, the AMF may process bothprocedures simultaneously.

3. Handling of Abnormal Cases

Case 1: Transmission Failure of the Network Slice-SpecificAuthentication Complete Message with TAI Change from Lower Layers

As specified in [3], when the identified abnormal case occurs, the UEaborts the network slice-specific authentication and authorizationprocedure and a registration procedure for mobility and periodicregistration update indicating “mobility registration updating” in the5GS registration type IE of the REGISTRATION REQUEST message may beinitiated. In this case, the UE may also include the requested NSSAI IEor the requested mapped NSSAI IE, or both IEs, even if the S-NSSAIentries that constitute these IEs are in the pending NSSAI IE.

Alternatively, the IEs may be included if in the previous or lastregistration procedure the UE had sent a requested NSSAI IE or therequested mapped NSSAI IE, or both IEs, even if the UE has a pendingNSSAI list for which the S-NSSAI entries were previously included inrequested NSSAI IE or the requested mapped NSSAI IE, or both IEs.

Case 2: NSSAA Performed for an S-NSSAI that is in the Allowed NSSAI Listor is not in the Pending NSSAI

The UE may perform a registration procedure, e.g., for initialregistration, and the UE may get an allowed NSSAI in the registrationaccept message that may include a pending NSSAI.

After the registration procedure completes, the AMF may initiate NSSAAand send the network slice-specific authentication command message andthe S-NSSAI field set to a value that is either in the allowed NSSAI oris not in the pending NSSAI. When this occurs, optionally after aninitial registration, the UE may consider this as an abnormal case or anerror.

When the UE considers a network slice-specific authentication commandmessage as problematic or erroneous or as an abnormal case, such as butnot limited to the example scenario discussed above, the UE may send the5GMM status message to the AMF as defined in [3]. In this case, the UEcan use a new 5GMM cause code that is indicative of an error with NSSAAe.g., “Network Slice-Specific Authorization and Authentication Error.”Note that this is an example 5GMM cause code but any other value can bedefined for this purpose.

Alternatively, a new 5GMM message can be used for this purpose. Forexample, a new Network Slice-Specific Authentication reject message canbe defined to report an error or abnormal case such as the scenariodescribed above. The new message may include at least the S-NSSAI thatwas received in the corresponding network slice-specific authenticationcommand message, a 5GMM cause and optionally an EAP message. The EAPmessage may be the same message that was received in the correspondingnetwork slice-specific authentication command message.

When the UE sends either the 5GMM Status message or the new NAS messageas provided above, the UE may optionally send the list of allowed NSSAIand pending NSSAI to the AMF to inform the AMF of the S-NSSAIs that areavailable in the UE for each list. The provided new message, i.e.,network slice-specific authentication message is shown in Table 1 below.

TABLE 1 Pre- For- IEI Information Element Type/Reference sence matLength Extended protocol Extended protocol M V 1 discriminatordiscriminator 9.2 Security header type Security M V 1/2 header type 9.3Spare half octet Spare half octet M V 1/2 9.5 NETWORK SLICE- Messagetype M V 1 SPECIFIC 9.7 AUTHENTICATION RESULT message identity S-NSSAIS-NSSAI M LV 2-5 9.11.2.8 EAP message EAP message M LV-E 6-1502 9.11.2.2Allowed NSSAI NSSAI 0 TLV 4-74 9.11.3.37 Pending NSSAI NSSAI 0 TLV 4-749.11.3.37 Rejected NSSAI Rejected NSSAI 0 TLV 4-42 9.11.3.46

Note that the IEs in the message above may be optional (identified by“0” in the Presence column) although some are shown as mandatory(identified by “M” in the Presence column), or vice versa.

When the AMF receives the new message or the 5GMM Status message asprovided above with the new 5GMM cause code, the AMF may re-initiate theNSSAA procedure with the correct S-NSSAI. If the 5GMM cause codeindicates that the S-NSSAI is incorrect, then the AMF may re-initiateNSSAA with the correct S-NSSAI optionally by ensuring that the S-NSSAIused is actually part of the pending NSSAI list in the UE, where thelatter may also have been received by the AMF.

It may be possible that running NSSAA for an S-NSSAI which is not in thepending NSSAI list is not an error or abnormal case. For example, thiscan occur for a default S-NSSAI(s) that the UE did not request but theAMF needs to perform NSSAA for. Therefore, an alternative approach wouldbe for the UE to continue processing the related NSSAA message even ifthe S-NSSAI for which NSSAA is being performed is not in the pendingNSSAI (or optionally is in the allowed NSSAI).

Another way to indicate to the UE that the NSSAA procedure is noterroneous it to include a new indication in the network slice-specificauthentication command message such that the recipient (e.g., the UE) isinformed about the procedure being intentional i.e., is not an error.The indication can be in any form such as defining an operation typewhere the operation may be set to e.g., “initial NSSAA,”“re-authentication,” “NSSAA for default slice,” etc. This indication canbe in the form of a new IE. Note that this indication can be used ingeneral to indicate to the UE why the specific NSSAA message is beingsent. The UE can use this indication to identify whether the messagebeing sent is for initial NSSAA or re-run of NSSAA, etc, and hence theUE can take specific actions based on this. For example, if the networkis performing re-authentication for a certain S-NSSAI that is in theallowed NSSAI, the UE may block 5GSM requests that are associated withthat S-NSSAI given the UE knows that the NSSAA procedure is a re-run andhence the UE does not consider it to be an error.

Currently the involvement of the UE, specifically the 5GMM entity in theUE, for NSSAA is that the NAS forwards the contents of the NETWORKSLICE-SPECIFIC SESSION AUTHENTICATION COMMAND message to the upperlayers. However, it may be good for the UE (or NAS or 5GMM entity) totake other actions such as ensuring that the S-NSSAI received in themessage is part of any combination of:

-   -   the pending NSSAI list;    -   the allowed NSSAI; or    -   the rejected NSSAI.

The UE can then take any of the provided action when a condition for thecheck occurs.

Alternatively, the UE can also check if the S-NSSAI is not part of theallowed NSSAI and also not part of the pending NSSAI, and if so then theUE may consider this an error and take any of the provided actionsabove.

Note that if the AMF receives a network slice-specific sessionauthentication complete message and the S-NSSAI that is included in themessage is not valid e.g., it does not match any of the S-NSSAIs forwhich NSSAA is ongoing or it is not part of the S-NSSAIs for which NSSAAis being performed, or it is not part of the pending NSSAI list in theAMF, the AMF may ignore or discard the received message and re-transmitthe network slice-specific session authentication command message with avalid S-NSSAI (i.e., one for which NSSAA is ongoing or is not yetcomplete or one that is not the same as what is known to be invalid).Note that this requires that the AMF stores and compares the S-NSSAIsent in the network slice-specific authentication message with theS-NSSAI that is received in the network slice-specific sessionauthentication complete message. When there is no match or when theS-NSSAI received in the network slice-specific session authenticationcomplete message is not part of the S-NSSAI for which NSSAA is ongoing(as described in different ways above), the AMF may ignore the receivedmessage or optionally abort the existing procedure and resend thenetwork slice-specific session authentication command message with thedesired and valid S-NSSAI.

Note that in this entire document, the term “NSSAA to be performed” issynonymous with receiving the 5GS registration result IE with the “NSSAAto be performed” indicator set to “network slice-specific authenticationand authorization is to be performed.”

Case 3: Unnecessary Release of a NAS Connection

To ensure that T3540 is started correctly during a registrationprocedure, in addition to what is specified in section 5.3.1.3 of theNAS specification in [3] for case (b) (i.e., reception of registrationaccept by the UE), the UE has to also check for the followingconditions:

-   -   Whether the registration accept message indicates “NSSAA to be        performed” in the 5GS registration result IE, or    -   Whether the registration accept message includes a pending NSSAI        (i.e., does not include the pending NSSAI IE).

If the registration accept:

-   -   indicates “NSSAA to be performed” in the 5GS registration result        IE, or    -   includes a pending NSSAI (i.e., does not include the pending        NSSAI IE), then the UE may not start T3540.

If T3540 is running in the UE, then upon reception of the networkslice-specific authentication command message the UE may stop T3540.

4. Allowing Some Procedures when NSSAA is Ongoing

The UE may be in 5GMM-CONNECTED mode at least over the non-3GPP access,and optionally over the 3GPP access, and the AMF may be performing anNSSAA procedure over the non-3GPP access or optionally over the 3GPPaccess. The UE may have received a pending NSSAI IE in the registrationaccept message but no allowed NSSAI IE and the 5GS registration resultIE may have indicated “NSSAA to be performed.”

While NSSAA is ongoing, the UE may lose its lower layer connection overthe non-3GPP access. When the connection is regained, the NAS mayreceive an indication from the lower layers of non-3GPP access that theaccess stratum connection is established between UE and network.Although NSSAA is ongoing the UE may send initiate the service requestprocedure and send the service request message over the non-3GPP accesseven if NSSAA is ongoing with the conditions above.

The above can also be achieved by enforcing a restriction on the UEregarding the service request procedure such that the UE may notinitiate the service request procedure (i.e., may not send the servicerequest message) during an ongoing NSSAA procedure (optionally if the UEhas received a pending NSSAI, and has not received an allowed NSSAI, andthe 5GS registration result IE indicates “NSSAA to be performed”) from5GMM-CONNECTED mode. Therefore, the restriction does not apply to a UEin 5GMM-IDLE mode. Thus when the UE in 5GMM-IDLE mode over the non-3GPPaccess receives an indication from the lower layers of non-3GPP accessthat the access stratum connection is established between UE and networkthen the UE would be able, and may, send the service request messageover the non-3GPP access to establish the NAS connection with thenetwork. The UE may send the service request message even if NSSAA isongoing over the 3GPP access with the conditions above (regarding whatthe UE received, or did not receive, in the registration accept messagee.g., even if the UE did not receive an allowed NSSAI in theregistration accept message). Note that the provided embodiment appliesto both initial registration and registration for mobility and periodicupdating.

Note that the UE may be allowed to send the service request message in5GMM-CONNECTED mode if the UE is doing so for the purpose of requestingthe establishment of user plane resources for a PDU session foremergency services or for a PDU session for which the UE has exceptiondata reporting to send. Similarly, the UE may be allowed to send dataover the control plane (i.e., to send UL NAS transport message with CIoTuser data or location services, or optionally SMS) when the UE is doingso for exception data reporting or if the UE is a high priority accessUE.

Alternatively, when the NAS receives an indication from the lower layersof non-3GPP access that the access stratum connection is establishedbetween UE and network, the UE may send a registration request messageinstead of a service request procedure. The UE may include the requestedNSSAI IE, or the requested mapped NSSAI IE, or both, if the UE hadincluded one or both of these IEs during the last registration procedure(or if the UE has slice information for the current PLMN) even if theS-NSSAIs are included in the current pending NSSAI list in the UE.

Note that provided embodiments above can also apply during any otherprocedure and are not limited to the registration procedure. Forexample, if in the future the configuration update command message canbe used to provide the UE with a pending NSSAI and optionally no allowedNSSAI, and optionally based on the contents of the message the UEconsiders that it has no valid allowed NSSAI, then if the lower layerconnection fails and later gets established (as described above), theprovided embodiments above would still apply. Hence the providedembodiments are not limited to the registration procedure only and mayapply during any procedure or at any time in connected mode at which theUE determines that it has no allowed NSSAI.

The NAS specification [3] already allows the UE to initiate a 5GSMprocedure e.g., PDU session establishment procedure, during NSSAA whenthe conditions above are met (i.e., the UE received a pending NSSAI IEin the registration accept message but no allowed NSSAI IE and the 5GSregistration result IE may have indicated “NSSAA to be performed”).However, if the UE does send a PDU Session Establishment request message(in the UL NAS TRANSPORT message) then the UE may not include theS-NSSAI IE in the UL NAS TRASNPORT message since the UE does not have anallowed NSSAI yet. Alternatively, the UE may include the S-NSSAI IE andset it to a pre-configured value in the UE.

5. Recovery from Fallback During NSSAA

As explained above, the UE may receive a fallback indication duringNSSAA and hence the UE has a pending NAS procedure (e.g., the UE mayneed to send a NAS message in response to the network slice-specificauthentication command message). When the fallback occurs, the UE cantake any of the following measures as a provided embodiment to recoverfrom fallback:

-   -   The UE may be allowed to initiate a service request procedure        (i.e., send a service request message) to recover from fallback        as currently specified. To allow this, the current restriction        that the service request procedure may not be allowed during        NSSAA needs to be updated such that more exceptions are defined        to solve this problem. For example, the restriction (prohibiting        the UE from initiating a service request procedure during NSSAA)        may not apply to the service request procedure that is being        initiated from 5GMM-IDLE mode. Thus, the UE with a pending NSSAI        and during an NSSAA procedure (optionally if the UE does not        have an allowed NSSAI, or if the UE received the “NSSAA to be        performed indicator” indicating that NSSAA is to be performed)        may be allowed to send a service request message from 5GMM-IDLE        mode to recover from fallback.        -   Optionally the above may be allowed only if the UE has            already registered to the system, or if the NSSAA is being            performed following a registration procedure with the 5GS            registration type IE set to “mobility registration updating”            or “periodic registration updating.”        -   Optionally, when sending the service request message the UE            may not include the Uplink data status IE unless if the            corresponding PDU session (for which a particular bit is set            to one in the IE) is associated with an S-NSSAI that is in            the allowed NSSAI, or associated with an S-NSSAI for which            NSSAA is not ongoing, or the PDU session is an always on PDU            session, or if the PDU session had user plane resources            established prior to the fallback indication    -   Alternatively, if in order to recover from the fallback, the UE        may send the registration request message with the 5GS        registration type IE set to “mobility registration updating.”        The UE is allowed to include the requested NSSAI IE or the        requested mapped NSSAI IE in the registration request that is        transmitted to recover from fallback even if the entries are in        the pending NSSAI or even if the UE has a pending NSSAI.

Note that the provided embodiment above may also apply at any time whenthe UE is in connected mode and NSSAA is ongoing and the UE receives afallback indication. Hence, the provided UE behaviour is not restrictedto the scenario occurring only during a registration procedure. Theprovided embodiments still apply if other procedures are ongoing or ingeneral for a UE that is connected mode.

-   -   Optionally, when sending the service request message the UE may        not include the Uplink data status IE unless if the        corresponding PDU session (for which a particular bit is set to        one in the IE) is associated with an S-NSSAI that is in the        allowed NSSAI, or associated with an S-NSSAI for which NSSAA is        not ongoing, or the PDU session is an always on PDU session.

When the AMF receives either the service request message or theregistration request message as provided above, and the AMF has anongoing NSSAA procedure, the AMF may process the service request messageor registration request message and optionally abort the NSSAAprocedure. The AMF may determine to do so based on the fact that the NASmessage is received as an initial NAS message from the N2 interface andprotocol that runs between the NG-RAN and the AMF.

6. Stopping of Timer T3346 when the UE Receives a NAS Message for NSSAA

It is provided that the UE may stop T3346, if running, upon thereception of a network slice-specific authentication command message.Hence, upon reception of a NETWORK SLICE-SPECIFIC AUTHENTICATION COMMANDmessage, the UE may stop the timer T3346 if running.

7. Solution for Considering the Type of Registration Update for NSSAA

It is provided that the current handling of NSSAA be performed only whenthe 5GS registration type IE indicates “mobility registration updating”in the registration request message optionally when the NAS message isreceived from a UE that is not in narrow band-N1 (NB-N1) mode.Therefore, the AMF may take the actions that are currently specified inTS 24.501 if the 5GS registration type IE indicates “mobilityregistration updating” in the registration request message optionallywhen the NAS message is received from a UE that is not in NB-N1 mode.

The AMF may have new NSSAI information for the UE i.e., the allowedNSSAI that was previously sent to the UE may have changed. The new NSSAIthat the UE can use may also require NSSAA to be performed. In fact theAMF may be required, due to internal policy or as requested by the NSSAArelated AAA server, to re-initiate NSSAA for the UE. The UE may thensend a registration request with the 5GS registration type IE indicating“periodic registration updating,” or “mobility registration updating”for the UE that is in NB-N1 mode. The following is therefore provided:

-   -   The AMF need not take any actions if the allowed NSSAI has not        changed for the UE and NSSAA is not required to be re-initiated        for the UE; and    -   If the allowed NSSAI (or S-NSSAIs that the UE is allowed to use)        has changed, and at least one of the new S-NSSAIs requires        NSSAA, the AMF may:        -   Send the allowed NSSAI to the UE where the allowed NSSAI            contains the S-NSSAIs for which re-initiation of NSSAA is            not required, if any, or        -   Send the pending NSSAI containing the S-NSSAIs for which            NSSAA needs to be re-initiated. Additionally, if no allowed            NSSAI can be provided to the UE, the AMF may also set the            “NSSAA to be performed” indicator in the 5GS registration            result IE. The contents of the pending NSSAI may also            include the default slices (i.e., the slices that are marked            as default slices in the subscription information of the UE            and that require NSSAA to be initiated or re-initiated).

During a periodic registration procedure (i.e., the 5GS registrationtype IE indicates “periodic registration updating”), or during aregistration procedure for which the 5GS registration type IE is set to“mobility registration updating,” the UE may receive a pending NSSAI inthe registration accept message. The UE behaves in the similar manner asis currently specified when the same information is received in aregistration accept message as part of a registration procedure that isnot triggered for periodic updating.

If the 5GS registration result IE indicates “NSSAA to be performed” inregistration accept message, and the 5GS registration type IE in theregistration request message indicated:

a) “periodic registration updating” (i.e., the procedure was triggereddue to periodic registration update); orb) “mobility registration updating” and the UE is in NB-N1 mode (i.e.,the procedure was not triggered by the NB-N1 mode UE for periodicregistration update), the UE may consider the previous stored allowedNSSAI as invalid i.e., the UE may delete any stored allowed NSSAI.

Note that the provided embodiment above i.e., to consider the storedallowed NSSAI as invalid can alternatively also apply to all UEs thatsend a registration request message with 5GS registration type IE set to“mobility registration updating” and the UE then gets the 5GSregistration result IE indicating “NSSAA to be performed” inregistration accept message.

It may be noted that in the entire document, the term “NSSAA to beperformed” is synonymous with the “NSSAA to be performed indicator” thatis set to the value “network slice-specific authentication andauthorization is to be performed.”

Note that the AMF can also reject the UE's registration request message,for which the 5GS registration type IE indicates “periodic registrationupdating” (i.e., the procedure was triggered due to periodicregistration update) or indicates “mobility registration updating” andthe UE is in NB-N1 mode (i.e., the procedure was not triggered by theNB-N1 mode UE for periodic registration update) if NSSAA is revoked forall the slices although the UE did not send the requested NSSAI IE (orthe requested mapped NSSAI IE) in the registration request message. TheAMF takes the same behaviour as has been provided earlier in thisdocument (for the case when the AMF needs to consider the requestedmapped NSSAI IE and/or the requested NSSAI IE).

Certain examples of the present disclosure provide a method, for anetwork entity (e.g., an AMF entity), the method comprising: if anallowed NSSAI for a UE has changed from an allowed NSSAI that waspreviously sent to the UE, and at least one new S-NSSAI requires NSSAA,sending, to the UE: an allowed NSSAI containing S-NSSAIs for which are-initiation of NSSAA is not required, and/or a pending NSSAIcontaining S-NSSAIs for which NSSAA needs to be re-initiated. Theskilled person will appreciate that this technique may be applied to thecases described above under item 7 (i.e., the UE is performing periodicupdate, or the NB-N1 mode UE is sending registration request formobility updating). In either case, the AMF does not receive a requestedNSSAI and hence certain examples send: (a) an allowed NSSAI with slicesthat are allowed to use, (b) pending NSSAI if NSSAA is requires for some(potentially new) slices.

Certain examples of the present disclosure provide a method, for anetwork entity (e.g., an AMF entity), the method comprising: if anallowed NSSAI for a UE has changed from an allowed NSSAI that waspreviously sent to the UE, and at least one new S-NSSAI requires NSSAA,sending, to the UE: an allowed NSSAI containing S-NSSAIs for which are-initiation of NSSAA is not required, and/or a pending NSSAIcontaining S-NSSAIs for which NSSAA needs to be re-initiated. Theskilled person will appreciate that this technique may be generalised toall types of registration requests for which the UE may set the allowedNSSAI as invalid if “NSSAA to be performed” is received.

FIG. 6 is a block diagram of an exemplary network entity that may beused in examples of the present disclosure. For example, the UE and/orAMF may be provided in the form of the network entity illustrated inFIG. 6. The skilled person will appreciate that the network entityillustrated in FIG. 6 may be implemented, for example, as a networkelement on a dedicated hardware, as a software instance running on adedicated hardware, or as a virtualised function instantiated on anappropriate platform, e.g., on a cloud infrastructure.

The entity 600 comprises a processor (or controller) 601, a transmitter603 and a receiver 605. The receiver 605 is configured for receiving oneor more messages or signals from one or more other network entities. Thetransmitter 603 is configured for transmitting one or more messages orsignals to one or more other network entities. The processor 601 isconfigured for performing one or more operations and/or functions asdescribed above. For example, the processor 601 may be configured forperforming the operations of a UE or AMF.

The techniques described herein may be implemented using any suitablyconfigured apparatus and/or system. Such an apparatus and/or system maybe configured to perform a method according to any aspect, embodiment,example or claim disclosed herein. Such an apparatus may comprise one ormore elements, for example one or more of receivers, transmitters,transceivers, processors, controllers, modules, units, and the like,each element configured to perform one or more corresponding processes,operations and/or method steps for implementing the techniques describedherein. For example, an operation/function of X may be performed by amodule configured to perform X (or an X-module). The one or moreelements may be implemented in the form of hardware, software, or anycombination of hardware and software.

It will be appreciated that examples of the present disclosure may beimplemented in the form of hardware, software or any combination ofhardware and software. Any such software may be stored in the form ofvolatile or non-volatile storage, for example a storage device like aROM, whether erasable or rewritable or not, or in the form of memorysuch as, for example, RAM, memory chips, device or integrated circuitsor on an optically or magnetically readable medium such as, for example,a CD, DVD, magnetic disk or magnetic tape or the like.

It will be appreciated that the storage devices and storage media areembodiments of machine-readable storage that are suitable for storing aprogram or programs comprising instructions that, when executed,implement certain examples of the present disclosure. Accordingly,certain example provides a program comprising code for implementing amethod, apparatus or system according to any example, embodiment, aspectand/or claim disclosed herein, and/or a machine-readable storage storingsuch a program. Still further, such programs may be conveyedelectronically via any medium, for example a communication signalcarried over a wired or wireless connection.

Although the present disclosure has been described with variousembodiments, various changes and modifications may be suggested to oneskilled in the art. It is intended that the present disclosure encompasssuch changes and modifications as fall within the scope of the appendedclaim.

What is claimed is:
 1. A method of a user equipment (UE), the methodcomprising: transmitting, by the UE to a network entity, a registrationrequest message including a registration type information element (IE)indicating a periodic registration updating or a mobility registrationupdating; receiving, by the UE from the network entity, a registrationaccept message including a pending network slice selection assistantinformation (NSSAI); and determining, by the UE, that a previouslyreceived allowed NSSAI as invalid based on the registration acceptmessage.
 2. The method according to claim 1, wherein the registrationaccept message includes a registration result IE with an indicatorindicating a network slice-specific authentication and authorization(NSSAA) is to be performed in case that the registration accept messagedoes not include an allowed NSSAI.
 3. The method according to claim 1,further comprising: transmitting, by the UE, a service request messagein case that the registration accept message does not include an allowedNSSAI and the UE in an idle mode receives an indication that an accessstratum connection is established between the UE and the network entity.4. The method according to claim 1, further comprising: transmitting, bythe UE to the network entity, a service request message in case that theregistration accept message does not include an allowed NSSAI and the UEin a connected mode receives a fallback indication and the UE has apending procedure.
 5. The method according to claim 4, wherein thepending procedure is a network slice-specific authentication andauthorization (NSSAA) procedure.
 6. The method according to claim 1,wherein the UE is in a narrow band mode allowing access to a fivegeneration (5G) network in case that the registration type informationelement (IE) indicates the mobility registration updating.
 7. A methodof a network entity, the method comprising: receiving, by the networkentity from a user equipment (UE), a registration request messageincluding a registration type information element (IE) indicating aperiodic registration updating or a mobility registration updating; andtransmitting, by the network entity to the UE, a registration acceptmessage including a pending network slice selection assistantinformation (NSSAI).
 8. The method according to claim 7, wherein theregistration accept message includes a registration result IE with anindicator indicating a network slice-specific authentication andauthorization (NSSAA) is to be performed.
 9. The method according toclaim 7, further comprising: receiving, by the network entity from theUE, a service request message in case that the registration acceptmessage does not include an allowed NSSAI and the UE in an idle modereceives an indication that an access stratum connection is establishedbetween the UE and the network entity.
 10. The method according to claim7, further comprising: receiving, by the network entity from the UE, aservice request message in case that the registration accept messagedoes not include an allowed NSSAI and the UE in a connected modereceives a fallback indication and the UE has a pending procedure,wherein the pending procedure is a network slice-specific authenticationand authorization (NSSAA) procedure.
 11. A user equipment (UE), the UEcomprising: a transceiver; and at least one processor configured tocontrol the transceiver to: transmit, to a network entity, aregistration request message including a registration type informationelement (IE) indicating a periodic registration updating or a mobilityregistration updating, receive, from the network entity, a registrationaccept message including a pending network slice selection assistantinformation (NSSAI), wherein the processor is further configured todetermine that a previously received allowed NSSAI as invalid based onthe registration accept message.
 12. The UE according to claim 11,wherein the registration accept message includes a registration resultIE with an indicator indicating a network slice-specific authenticationand authorization (NSSAA) is to be performed in case that theregistration accept message does not include an allowed NSSAI.
 13. TheUE according to claim 11, wherein processor is further configured tocontrol the transceiver to: transmit a service request message in casethat the registration accept message does not include an allowed NSSAIand the UE in an idle mode receives an indication that an access stratumconnection is established between the UE and the network entity.
 14. TheUE according to claim 11, further comprising: transmitting, by the UE tothe network entity, a service request message in case that theregistration accept message does not include an allowed NSSAI and the UEin a connected mode receives a fallback indication and the UE has apending procedure.
 15. The UE according to claim 14, wherein the pendingprocedure is a network slice-specific authentication and authorization(NSSAA) procedure.
 16. The UE according to claim 11, wherein the UE isin a narrow band mode allowing access to a five generation (5G) networkin case that the registration type information element (IE) indicatesthe mobility registration updating.
 17. A network entity, the networkentity comprising: a transceiver; and at least one processor configuredto control the transceiver to: receive, from a user equipment (UE), aregistration request message including a registration type informationelement (IE) indicating a periodic registration updating or a mobilityregistration updating; and transmit, to the UE, a registration acceptmessage including a pending network slice selection assistantinformation (NSSAI).
 18. The network entity according to claim 17,wherein the registration accept message includes a registration resultIE with an indicator indicating a network slice-specific authenticationand authorization (NSSAA) is to be performed.
 19. The network entityaccording to claim 17, wherein processor is further configured tocontrol the transceiver to: receive, from the UE, a service requestmessage in case that the registration accept message does not include anallowed NSSAI and the UE in an idle mode receives an indication that anaccess stratum connection is established between the UE and the networkentity.
 20. The network entity according to claim 17, wherein processoris further configured to control the transceiver to: receive, from theUE, a service request message in case that the registration acceptmessage does not include an allowed NSSAI and the UE in a connected modereceives a fallback indication and the UE has a pending procedure,wherein the pending procedure is a network slice-specific authenticationand authorization (NSSAA) procedure.